Maida Barrientos

How to write a privacy policy: 2022 Regulations

Updated: May 27

User privacy has become a commodity in today's volatile digital environment. Because of the uproar over privacy concerns, many privacy laws have been tightened around the world.

While each country has its own regulatory bodies, data collection is governed in a similar manner.

Misuse of user data in the past has resulted in stricter privacy practices, increased regulatory oversight, and, as a result, higher fines if you disobey.

Why does my website require a privacy policy?

If you engage in any type of online commercial activity, your website must include a comprehensive privacy policy, especially if your business operations are based in a highly regulated area.

Europe, for example, has enacted a General Data Protection Regulation (GDPR) law that regulates data privacy and imposes severe penalties on companies that fail to meet their obligations.

The GDPR is only applicable in Europe and the European Economic Area (EEA), as well as foreign companies doing business in this region.

Canada has PIPEDA (Personal Information Protection and Electronic Documents Act) that controls how you use, disclose and collect information.

The USA doesn’t have a dedicated federal data privacy law similar to GDPR, but it has a set of separate national laws and acts that have been put in place to ensure privacy compliance, such as:

  1. COPPA (Children’s Online Privacy Protection Act), which controls how you can collect online information about children under 13 years of age, enforced by the Federal Trade Commission

  2. CCPA (California Consumer Privacy Act), which deals with privacy rights and consumer protection in California

  3. CalOPPA (California Online Privacy Protection Act), which requires online services and commercial websites to include a privacy policy on their website

So, why does your website require a privacy policy?

Because it is required by law in the majority of countries. If you operate in any of these countries, you will face harsh monetary penalties if you do not follow local rules and regulations or federal law.

For example, British Airways was initially fined over $200 million for failing to protect their users' privacy and falling victim to a data breach.

While the fine was later reduced to around $30 million, it shows that failure to comply can have serious consequences.

How to write a privacy policy for a website?

There are a couple of main ways to go about writing the company’s privacy policy legal document, namely:

  1. Hiring a law firm: Reliable legal advice, but also the most expensive option out there. Having your privacy statement drafted by lawyers can cost anywhere from $275 for simple policies to over $5,000 for complex policies.

  2. Writing it yourself: The cheapest, but the most difficult and time-consuming. If you’re not very familiar with rules and regulations, you may fail to include important information and risk your business.

  3. Using a privacy notice template: The quickest, cheapest, and easiest way to go about handling your website privacy policy.

So, in a matter of minutes, you can issue bulletproof privacy policies and finish them off with a legitimate signature. This is not only cost-effective, but it also saves you a lot of time in the long run.

Regardless of which option you choose, make sure you've crossed all of your t's and dotted all of your i's.

The only way to know if you have a good privacy policy is to know what you need to include. The safest bet is to use a pre-made privacy policy template, but if you enjoy getting your hands dirty, you can do it yourself.

01. Include your business name and contact information

The first rule of writing your online privacy policy is to use plain language with correct legal terms, without overcomplicating it.

At the beginning of the document, you should list your company’s information, namely address, name, email address and phone number.

We also recommend encouraging your website visitors to use the previously mentioned information to contact you in case they have any questions or concerns regarding the policy.

This shows that your company is transparent, has nothing to hide and encourages open communication, which is always a good look.

02. Mention what type of information you collect

The term "personal data" is broader and more complex than you might think. It does include the obvious items like credit card information, IP address and phone number, but also less conspicuous ones like location, number plates and other online identifiers.

Personal data covers anything specific to "the physical, physiological, genetic, mental, commercial, cultural or social identity" of the data subject.

Make sure to use specific terms instead of broad ones.

For example, instead of saying "we collect contact information," say "we collect your telephone number, email address and physical address." This ensures that there’s no confusion that can lead to issues down the road.

03. Explain how and why you collect data

The next important thing is to mention why and how your website collects data.

There are many different ways to collect user information, such as:

  1. contact forms

  2. cookies

  3. surveys

  4. course registrations

  5. email newsletter

  6. website analytics (e.g. Google Analytics)

After explaining how you collect data, also mention why you’re collecting it. Is it for research purposes? Is it for marketing purposes?

Do you plan to resell the data? Do you plan to notify customers about news, updates and promotions? Do you need this information for processing orders?

Regardless of the reason, your customers have the right to know what companies are doing with their information, so don’t forget to include this in your policy.

04. Describe how users can opt-out

One of the main goals of laws like GDPR and CCPA is to give users more control over the information websites collect about them.

When users allow you to collect their data, that doesn’t mean they’ve allowed you to collect it indefinitely. At some point, they might want to withdraw their permission, and you’re bound by law to let them do so.

Your privacy statement for the website should describe which options users have in case they want to revise any previously-given permissions.

This includes:

  1. Right to request data amendments

  2. Right to request you to delete the acquired information

  3. Right to review the collected information

Describe the process for all three instances in detail and provide users with helpful links and resources that will make the whole process easier and more convenient.

05. Mention if user data is shared with third parties

If you plan on sharing any user data with third parties, always include a disclaimer in your privacy policy. Third parties include service providers, marketing partners, consultants, credit card processors, etc.

Not disclosing this information puts you at legal risk, because most laws and regulations prioritize transparency.

For example, imagine you shared user information with your marketing agency and you forgot to add a third-party sharing disclosure on your website.

Then the marketing agency suffers a data breach and all their data is stolen, including your clients’. You would not only risk your company’s reputation, but you’ll also receive some hefty fines for not being transparent with your customers.

06. Specify how long you will retain user data

According to GDPR, you may keep collected user data only for as long as is necessary for the purposes for which it was initially obtained.

The GDPR doesn’t specify a particular timeframe, which is why you should revise this section regularly to ensure compliance.

For example, if you’re collecting data for a contract, you’re legally allowed to store this data for as long as the contract is valid. As long as the data is relevant, you have the right to process it.

Make sure to be very clear and specify a timeframe within which you’ll delete the data once it expires.

While it’s not necessary, you can also add a dedicated "Data Retention Policy" where you’ll explain different instances and be more specific.

07. Explain how you’ll protect the personal data you collect

Preserving the integrity and security of collected user data is imperative. Your customers are putting their trust in you by allowing you to gather their information.

Your responsibility is to enforce strong security measures to ensure that there’s no data leakage.

Mention how you’re protecting the user information (e.g. using SSL or other computer safeguards). Don’t be too specific in this section.

If you reveal too much, malicious actors will know how to bypass your security measures and compromise the integrity of your website. Instead, be broad and only mention general security practices.

08. Describe the dispute resolution process

A standard website privacy policy should also describe how the dispute resolution process works. Some companies tend to add this section to their Terms and Conditions policy.

We recommend including it into your privacy policy as well, to cover all the bases.

Despite your best efforts to preserve harmony and keep a good relationship with your customers, legal disputes are likely to occur at some point.

Add a sentence or two about dispute resolution and how you handle it (third-party dispute resolution service provider, contact form, customer service, legal firms, etc.)

09. Mention what happens if your online business transfers ownership

Business ownership transfers are a very common occurrence, and you never know if and when your website will be subject to one.

Even if you don’t have any plans to sell your company at this particular moment, it is still a viable possibility in the future.

Including this clause will save you from any possible liability in case you eventually decide to sell your business.

This clause ensures that users are aware that their information might be handed over to a new entity in case of an acquisition.

We also recommend including a clause explaining that, while you’ll use your best efforts to secure your website, you cannot guarantee that it won’t fall victim to malicious exploits.

Nothing is foolproof and you should protect yourself as much as possible in case a data breach happens.

10. Put everything together in one template

Phew! Now that you’ve included everything needed for your privacy policy, collect all the sections and create a template. This is going to save you a lot of trouble and headaches in the long run.

For example, if you decide to create more websites in addition to your existing service, you’ll need a custom privacy policy for every one of them. Instead of going through the strenuous process of drafting it from scratch, you’ll be able to use templates and create privacy policies within minutes.

Legal documents are very complex, which is why having templates on hand will be a true lifesaver. PandaDoc offers all-inclusive privacy policy templates that will protect your business’s interest.

They are compliant with most existing laws and regulations worldwide and will shorten the policy-making process tenfold.

Quick privacy policy best practices checklist

We’ve already discussed the most important contents of every privacy policy. What we didn’t discuss is how to approach the writing process itself.

Here are some tips and tricks on how to make your privacy policy accessible, clear, and understandable:

What should a privacy policy include?

Here’s a quick rundown of the most important items to be found in your company’s privacy policy:

  1. Company information: Name, address, phone number and email address.

  2. Type of collected data: Write this information in specific detail (credit card information, location, IP address, etc.) and note how and where you collected the said data.

  3. Mention the lawful basis for collecting data: Explain which law you’re relying on that gives you permission to collect the mentioned data.

  4. How you protect collected data: Which safeguards are put in place to ensure maximum data security.

  5. How long you’ll retain the collected information: Specify the timeframe within which you plan to use and retain the collected information.

  6. How you’re using the collected data: Explain what exactly you’re doing with user data – marketing purposes, notifications, order processing, data analysis, etc.

  7. List data subject rights: The GDPR law notes eight different types of data subject rights. List and explain them on your website as follows:

     1. Right of access

     2. Right to be informed

     3. Right to erasure

     4. Right to object

     5. Right of rectification

     6. Right of portability

     7. Right to restrict processing

     8. Rights in relation to automated data processing and profiling

Nail your privacy policy now!

Privacy policies may seem like redundancies for many people. But if you want to run a serious business based on integrity and transparency, then you simply must include a proper privacy policy on your website.

If not for the sake of transparency, then do it for the sake of your business.

After all, you are legally obligated to notify your customers about how you handle their data. If you don’t include this on your website, you’re risking some serious consequences that can damage your operations.
